GAO

United States Government Accountability Office
Washington, DC 20548 



December 18, 2009 

The Honorable Daniel K. Akaka 
Chairman 

The Honorable Richard Burr 
Ranking Member 
Committee on Veterans’ Affairs 
United States Senate 

The Honorable Bob Filner 
Chairman 

The Honorable Steve Buyer 
Ranking Member 
Committee on Veterans’ Affairs 
House of Representatives 

Subject: Department of Veterans Affairs’ Implementation of Information Security 
Education Assistance Program 

The Veterans Benefits, Health Care, and Information Technology Act of 2006 authorizes 
the Secretary of Veterans Affairs to establish an educational assistance program for 
information security.¹ The Information Security Education Assistance Program is
envisioned as a means for the Department of Veterans Affairs (VA) to attract and retain 
individuals with advanced skills in information security. The legislation authorizes the 
agency to establish scholarships for qualified students who pursue doctoral degrees in 
computer science and electrical and computer engineering at accredited institutions and 
to offer educational debt reduction for VA employees who hold doctoral degrees in these 
fields. 

This letter responds to the act’s requirement that we report on the scholarship and 
education debt reduction programs within 3 years of the act’s December 22, 2006, 
enactment.² As agreed with your offices, our objective was to determine the status of
VA’s implementation of the program. To accomplish this objective, we analyzed section 
903 of the act, the status of the draft regulations governing the program, and the agency’s 



¹Pub. L. No. 109-461, § 903, 120 Stat. 3403, 3460 (Dec. 22, 2006), adding a new Chapter 79, Information
Security Education Assistance Program, to Title 38 of the U.S. Code. This program is part of Title IX of the 
act known as the Department of Veterans Affairs Information Security Enhancement Act of 2006. 

²Pub. L. No. 109-461, § 903(b), 120 Stat. 3464.






GAO-10-170R Information Security Education Assistance Program 




process for implementing the program. We interviewed officials in VA’s Office of 
Information and Technology, Office of General Counsel, and Office of Congressional and 
Legislative Affairs and reviewed documents related to the implementation process. To 
gain an understanding of how the department manages other education programs, we 
also interviewed officials in the Veterans Health Administration. In addition, we met with 
officials in the Office of Inspector General and reviewed that office’s reports on VA’s 
Office of Information and Technology. We performed our work from April 2009 to 
December 2009 in accordance with generally accepted government auditing standards. 
These standards require that we plan and perform audits to obtain sufficient, appropriate 
evidence to provide a reasonable basis for our findings and conclusions based on our 
audit objectives. We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objective. 



Results in Brief 

The Department of Veterans Affairs has not begun to award scholarships or offer and 
disburse loan repayments under the Information Security Education Assistance Program, 
although it has taken some steps to implement the program. Since 2006, VA has drafted 
governing regulations, which are now undergoing internal review, and has developed a 
budget impact analysis. After the department’s internal review is completed, several 
additional steps are planned before the regulations are issued, including review by the 
Office of Management and Budget (OMB) and a public comment period. Department
officials anticipate that the debt-reduction portion of the program will begin, and the first
scholarship candidates will be selected, during 2011. 



Background 

The Veterans Benefits, Health Care, and Information Technology Act was enacted after a 
serious loss of data in 2006 revealed weaknesses in VA’s handling of personally 
identifiable information. Specifically, in May 2006, an information security breach at the 
department occurred involving a stolen hard drive with personal data on millions of 
veterans and their dependents. The incident highlighted the seriousness of weaknesses 
in the department’s information security. In testimony shortly after the breach, we noted 
that for many years, significant concerns had been raised about VA’s information 
security — particularly its lack of a robust information security program, which is vital to 
minimizing the risk of compromise of government information, including sensitive 
personal information.³



³GAO, Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy
Issues, GAO-06-866T (Washington, D.C.: June 14, 2006).

One of the programs authorized by the Veterans Benefits, Health Care, and Information
Technology Act in response to these concerns about VA’s longstanding information 
security weaknesses and the data breach was the Information Security Education 
Assistance Program. Under the act, the Secretary of the Department of Veterans Affairs 
was authorized to establish an education assistance program for doctoral students in 
computer science and computer and electrical engineering to strengthen VA’s ability to 
recruit and retain individuals who have necessary information security skills. The 
program is to have two parts: a debt-reduction program for VA employees who have 
recently earned doctoral degrees, and a scholarship program for qualified individuals 
who must agree to work for the agency on completion of their academic programs. The 
agency is authorized to repay up to $16,500 of student loan debt each year for qualified 
employees up to a total of 5 years and $82,500. Doctoral students may receive full tuition 
scholarships plus a monthly stipend for up to 5 years, not to exceed a total of $200,000. 
According to section 903(c) of the act, the scholarship program may only apply to 
financial assistance provided for an academic semester or term that begins on or after 
August 1, 2007. Authorization to make payments under the program expires on July 31, 
2017. The act also requires VA to prescribe regulations for administering the program. 

The VA unit responsible for implementing the Information Security Education Assistance 
Program is the Office of Information and Technology (OI&T), which oversees the 
department’s information technology (IT) assets and resources including information 
security and privacy. Within OI&T, two offices have managed the implementation efforts: 
the Office of Information Technology Resource Management, which is responsible for 
human capital and IT budgeting, and the Office of Information Protection and Risk 
Management, which is responsible for information security. VA’s Office of General 
Counsel also has a role. General Counsel’s Office of Regulation Policy and Management 
monitors and reviews proposed regulations, provides regulatory impact analyses, and is 
VA’s regulatory liaison with OMB.



VA Has Begun Implementing the Program but Considerable Work Remains 
Before Financial Assistance Can Begin 

VA is in the process of developing regulations for administering the program, as called 
for by the act. OI&T’s Office of Information Technology Resource Management began 
work on the regulations and had a draft ready for internal review and concurrence by 
August 2007. Responsibility for managing the concurrence process and ensuring that 
other VA offices reviewed and concurred with the program regulations was assigned, on 
August 1, 2007, to the Office of Information Protection and Risk Management since, 
according to a senior OI&T official, this office would most benefit from the program. The 
status of the review and concurrence process was to be monitored by General Counsel’s 
Office of Regulation Policy and Management. 

The regulations have not yet been issued. During 2007 and 2008, the Office of Regulation
Policy and Management sent multiple status inquiries to Information Protection and Risk 
Management. In April 2008, Regulation Policy and Management noted that it had 
received no status updates in about a year. In the summer of 2008, OI&T’s Office of 
Information Technology Resource Management learned, according to a senior official 
within the office, that the draft regulations were still in Information Protection and Risk 
Management and no apparent action had been taken. At that point, Resource
Management took responsibility for ensuring that the draft regulations were sent forward 
for review and concurrence. Subsequently, in January 2009, the draft regulations were 
sent to VA’s Office of General Counsel for review. In September 2009, the Office of 
General Counsel provided initial comments on the draft regulations. 

VA plans several other actions before issuing the regulations and has outlined a project 
plan for issuing the regulations that includes the remaining steps and milestones. 
Specifically, after final concurrence by the Office of General Counsel and concurrence by 
the other departmental offices, the draft regulations must be approved by the Secretary 
of Veterans Affairs. The department will then submit the draft regulations for review by 
OMB and then for comment from the public. VA officials estimate that, after the
department addresses these comments and OMB performs another review, the final
regulations could be issued in January 2011. 



VA Plans to Begin Program Activities in January 2011 

VA officials anticipate that, if funds are available, the agency will announce the program 
and begin seeking candidates in January 2011 for both the debt reduction and 
scholarship components of the program. More time will elapse before any scholarship 
candidates receive doctoral degrees and are able to apply that educational experience to 
VA’s information security needs.⁴

VA has drafted an impact analysis that estimates the costs for the program and has 
identified two current staff members who may be eligible for debt repayments. In its 
impact analysis, VA estimates that the program will cost at least $217,000 by 2015, based 
on a survey which suggests that the department will have one candidate for the 
scholarship program and three candidates for the debt reduction program within the 
next 5 years. According to VA officials, no funds were allocated to the program in the 
department’s fiscal year 2010 budget. 



⁴The earliest date to hire a doctoral program graduate who receives a scholarship might be around January
2012. This date assumes that VA selects a graduate at the program’s start in January 2011 who is in the last 
year of doctoral study. A candidate just starting a doctoral program might take considerably longer. For 
example, Carnegie Mellon University suggests it may take 6 years to complete a Ph.D. in computer science 
and the University of Texas, Austin, estimates 3 to 5 years. 







Figure 1 summarizes VA’s actions and planned actions, from enactment of the 
authorizing legislation through program implementation. 

Figure 1: Completed and Planned Actions for the Information Security 
Education Assistance Program 




In comments provided via e-mail on a draft of this correspondence, the GAO liaison, VA 
Office of Congressional and Legislative Affairs, stated that the department had reviewed 
the draft report and had no comments to offer at this time. 



We are sending a copy of this letter to the Secretary of Veterans Affairs. In addition, the 
document will be available at no charge on GAO’s Web site at http://www.gao.gov. 

If you have any questions regarding this letter, please contact Gregory C. Wilshusen at 
(202) 512-6244 or wilshuseng@gao.gov, or Valerie C. Melvin at (202) 512-6304 or 
melvinv@gao.gov. Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. 

GAO staff who made major contributions to this letter are Charles Vrabel (Assistant
Director), Monica Perez Anatalio, Neil Doherty, Nancy Glover, Mary Marshall, Lee 
McCracken, Kate Nielsen, Sylvia Shanks, Glenn Spiegel, and Adam Vodraska. 







Gregory C. Wilshusen 

Director, Information Security Issues 

Valerie C. Melvin 

Director, Information Management and Human Capital Issues 



(311024) 

This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.





GAO’s Mission


The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO’s
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.


Obtaining Copies of GAO Reports and Testimony


The fastest and easiest way to obtain copies of GAO documents at no cost 
is through GAO’s Web site (www.gao.gov). Each weekday afternoon, GAO 
posts on its Web site newly released reports, testimony, and 
correspondence. To have GAO e-mail you a list of newly posted products, 
go to www.gao.gov and select “E-mail Updates.” 


Order by Phone 


The price of each GAO publication reflects GAO’s actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black and 
white. Pricing and ordering information is posted on GAO’s Web site, 
http://www.gao.gov/ordering.htm. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional information. 


To Report Fraud, Waste, and Abuse in Federal Programs


Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 
E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470 


Congressional Relations


Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548 


Public Affairs 


Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, DC 20548 



